• DocumentCode
    3433899
  • Title
    A security analysis of the OAuth protocol
  • Author
    Feng Yang ; Manoharan, Sathiamoorthy
  • Author_Institution
    Dept. of Comput. Sci., Univ. of Auckland, Auckland, New Zealand
  • fYear
    2013
  • fDate
    27-29 Aug. 2013
  • Firstpage
    271
  • Lastpage
    276
  • Abstract
    The OAuth 2.0 authorization protocol standardises delegated authorization on the Web. Popular social networks such as Facebook, Google and Twitter implement their APIs on top of the OAuth protocol to support social sign-on and social sharing. The intermediary authorization code can potentially be leaked in transit, which may then lead to its abuse. This paper uses an attacker model to study the security vulnerabilities of the OAuth 2.0 protocol. The experimental results show that common attacks such as replay attacks, impersonation attacks and forced-login CSRF attacks are capable of compromising the resources protected by the OAuth 2.0 protocol. The paper presents a systematic analysis of the potential root causes of the disclosed vulnerabilities.
  • Keywords
    authorisation; cryptographic protocols; social networking (online); API; Facebook; Google; OAuth 2.0 authorization protocol; Twitter; Web; delegated authorization; disclosed vulnerabilities; forced-login CSRF attacks; impersonation attacks; replay attacks; security analysis; social networks; systematic analysis; Authentication; Authorization; Facebook; Google; Protocols; Servers; OAuth; Single sign-on; security vulnerabilities
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications, Computers and Signal Processing (PACRIM), 2013 IEEE Pacific Rim Conference on
  • Conference_Location
    Victoria, BC
  • ISSN
    1555-5798
  • Type
    conf
  • DOI
    10.1109/PACRIM.2013.6625487
  • Filename
    6625487